Base Score

HIGH7.2

CVE-2020-12827

MJML prior to 4.6.3 contains a path traversal vulnerability when processing the mj-include directive within an MJML document.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 17, 2020, 14:15

Affected Versions(1)

mjml(npm)

Introduced0

Fixed4.6.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
mjml(npm)	0	4.6.3	N/A

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

LOW

References

http://packetstormsecurity.com/files/158111/MJML-4.6.2-Path-Traversal.html
http://seclists.org/fulldisclosure/2020/Jun/23
https://github.com/mjmlio/mjml/commit/30e29ed2cdaec8684d60a6d12ea07b611c765a12
https://github.com/mjmlio/mjml/releases/tag/v4.6.3
https://mjml.io/community
https://rcesecurity.com
https://twitter.com/mjmlio

Base Score

HIGH7.2

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

LOW